Cyber Shelf

// Comparison

Applied Network Security Monitoring vs Linux Firewalls: Which Should You Read?

Two cybersecurity books on Networking, compared honestly: who each is for, what each does best, and which to read first.

Intermediate
4/52013
Applied Network Security Monitoring

Collection, Detection, and Analysis

Chris Sanders, Jason Smith

A practitioner's walkthrough of building an NSM capability end to end, from deciding what to collect through detection and the analysis workflow that ties it together. The tooling is dated, but the way it teaches you to think about monitoring is not.

Intermediate
4/52007
Linux Firewalls

Attack Detection and Response with iptables, psad, and fwsnort

Michael Rash

Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. Pre-nftables in detail but conceptually durable.

Read this if

SOC analysts and aspiring detection engineers who want a structured mental model for collection, detection, and analysis rather than a pile of disconnected tooling tutorials.
Linux administrators and defensive practitioners who need to actually configure a firewall, not just understand the concept. Rash's iptables coverage remains the cleanest practical introduction; psad and fwsnort for the active-response side.

Skip this if

Anyone hoping for a current toolkit. Skip this if you want hands-on Zeek/Suricata/Elastic configs you can paste today, the commands here have aged out.
Readers fully on nftables / firewalld / cloud-native security groups, or anyone wanting an architecture-level treatise. The book is hands-on iptables rules and analysis, not a strategic frame.

Key takeaways

  • Collection is a deliberate decision, not a default. Decide what data matters before you drown in everything.
  • The book's split of detection into signature, anomaly, and statistical approaches still maps cleanly onto how modern stacks work.
  • Analysis is a discipline with a workflow, not improvised packet-staring, and that framing is the most durable thing here.
  • iptables remains the foundational mental model; even in nftables-or-eBPF environments, understanding match-and-target chains is required to read the rule sets the field still ships.
  • Active response is a real defensive option that's easy to overstate; the book's chapter on the trade-offs is appropriately cautious.
  • Port scanning detection (psad) and signature-based blocking (fwsnort) are still useful primitives that punch above their weight in budget-constrained environments.

How they compare

Applied Network Security Monitoring and Linux Firewalls are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Applied Network Security Monitoring and Linux Firewalls both cover Networking, Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading

Applied Network Security Monitoring

Alternatives to Applied Network Security MonitoringWhat to read after Applied Network Security Monitoring

Linux Firewalls

Alternatives to Linux FirewallsWhat to read after Linux Firewalls

Related topics

NetworkingDefensive